OTPulse

Siemens SCALANCE X Switches (Update B)

Priority: Act Now · CVSS 9.1 · ICS-CERT ICSA-21-012-02 · Jan 12, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SCALANCE X switches do not generate a unique random key after factory reset and instead use a hardcoded private key that is shipped with the firmware. This hardcoded key is the same across all devices of the same model and firmware version. An attacker who obtains or derives this private key can decrypt TLS/HTTPS traffic to the device, impersonate the switch, or intercept and modify encrypted management communications. The vulnerability affects the X-200, X-200IRT, X-200RNA, and X-300 switch families across multiple firmware versions. Siemens has released patched firmware versions that generate unique keys during initialization.

What this means
What could happen
An attacker with network access to a SCALANCE X switch could intercept encrypted communications using the hardcoded private key shipped in the firmware, potentially allowing them to impersonate the switch, intercept configuration traffic, or modify network behavior without authentication.
Who's at risk
Water authorities and electric utilities that run Siemens SCALANCE X managed Ethernet switches in their control networks are the primary audience. The issue affects the SCALANCE X-200, X-200IRT, X-200RNA, and X-300 switch families (including industrial SIPLUS NET variants). Any switch running firmware older than the patched versions is at risk if it is connected to a network where an attacker could capture management traffic.
How it could be exploited
An attacker with network access to the switch can capture encrypted traffic (such as HTTPS or TLS connections to the web interface or management port 502). Because all devices ship with the same private key, the attacker can use publicly known key material to decrypt this traffic, extract credentials, or forge certificates to impersonate the device and inject malicious commands into network streams.
Prerequisites
  • Network access to the SCALANCE X switch (typically management ports like 80/443 or Modbus TCP port 502)
  • Ability to capture encrypted traffic or initiate TLS connections to the device
  • Knowledge of the hardcoded private key (which is shipped in all firmware images and publicly documented in Siemens advisory SSA-274900)
  • Remotely exploitable
  • No authentication required if traffic is intercepted passively
  • Low complexity attack (uses publicly documented key material)
  • Affects network infrastructure and potentially safety system communications
  • High CVSS score (9.1) reflects confidentiality and integrity impact
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4), all with a fix available

Product                                                          | Affected Versions | Fixed In
SCALANCE X-200 switch family (incl. SIPLUS NET variants)         | < V5.2.5          | V5.2.5
SCALANCE X-200IRT switch family (incl. SIPLUS NET variants)      | < V5.5.0          | V5.5.0
SCALANCE X-200RNA switch family                                  | < V3.2.7          | V3.2.7
SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants)| < V4.1.0          | V4.1.0
Remediation & Mitigation
Do now
WORKAROUND: Replace the default self-signed X.509 certificates with your own trusted certificates (remove certificates with SHA-1 fingerprint F2:C8:3B:8F:86:27:74:AA:60:EC:D4:A0:CF:0D:BE:A6:D1:FE:22:12 and SHA-256 fingerprint 25:60:DB:B3:F9:07:9D:69:0E:DD:A9:EB:4E:1C:D5:8E:AF:79:16:C3:C8:13:A6:F6:59:AD:05:E4:6F:77:F7:72)
HARDENING: Restrict network access to management ports (80, 443, 502) using firewall rules and access control lists; allow only authorized engineering workstations and network management servers
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SCALANCE X-200 switches (including SIPLUS NET variants) to firmware version 5.2.5 or later
HOTFIX: Update SCALANCE X-200IRT switches (including SIPLUS NET variants) to firmware version 5.5.0 or later
HOTFIX: Update SCALANCE X-200RNA switches to firmware version 3.2.7 or later
HOTFIX: Update SCALANCE X-300 switches (including X408 and SIPLUS NET variants) to firmware version 4.1.0 or later
Long-term hardening
HARDENING: Segment SCALANCE X switches onto protected management networks isolated from untrusted networks and external internet access
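To verify the workaround above across an inventory, a defender can check which switches still present the shipped default certificate by comparing the fingerprint offered over TLS with the two fingerprints listed in the advisory. The following script is an added example, not Siemens or OTPulse code; the hostnames passed on the command line and the 5-second timeout are assumptions, and the fingerprints are the advisory's own values.

```python
"""Flag SCALANCE X switches that still serve the hardcoded default X.509
certificate from ICSA-21-012-02 by matching the TLS leaf cert's fingerprint."""
import hashlib
import socket
import ssl

# Fingerprints of the default certificate, copied from the advisory workaround.
DEFAULT_CERT_SHA1 = "F2:C8:3B:8F:86:27:74:AA:60:EC:D4:A0:CF:0D:BE:A6:D1:FE:22:12"
DEFAULT_CERT_SHA256 = ("25:60:DB:B3:F9:07:9D:69:0E:DD:A9:EB:4E:1C:D5:8E:"
                       "AF:79:16:C3:C8:13:A6:F6:59:AD:05:E4:6F:77:F7:72")


def normalize_fingerprint(fp: str) -> str:
    """Drop colon separators and case so fingerprints compare reliably."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def cert_fingerprints(der: bytes) -> dict:
    """SHA-1 and SHA-256 fingerprints of a DER-encoded certificate."""
    return {"sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}


def is_default_cert(der: bytes) -> bool:
    """True if the certificate matches either advisory fingerprint."""
    fps = cert_fingerprints(der)
    return (fps["sha1"] == normalize_fingerprint(DEFAULT_CERT_SHA1)
            or fps["sha256"] == normalize_fingerprint(DEFAULT_CERT_SHA256))


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate a device presents. Verification is disabled
    because the default cert is self-signed; we only inspect it, we do not
    trust it for any data exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_switch(host: str, port: int = 443) -> dict:
    """Inventory record for one switch: fingerprints plus a default-cert flag."""
    der = fetch_der_cert(host, port)
    return {"host": host, "default_cert": is_default_cert(der),
            **cert_fingerprints(der)}


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:          # assumed: switch hostnames or IPs as arguments
        print(check_switch(host))
```

Older firmware may only negotiate legacy TLS versions that a modern default context refuses; if the handshake fails, lower `ctx.minimum_version` accordingly.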